Newsletter
05.24.2021 | 6 min read
More mysterious Android, MacOS zero-day attacks
[ Security Conversations thanks the following sponsors for supporting the production of our high-signal, low-noise coverage of the cybersecurity industry: Uptycs (SQL-powered security analytics), Eclypsium (firmware security), Symmetry Systems (data visibility and protection), MongoDB (general purpose database platform) and SecurityWeek (enterprise security news and analysis) ]
Was this newsletter forwarded to you? Sign up here! Say hello on Twitter (DMs are open).
Monday blues.
I know it’s tough to get excited about another freakin’ virtual event but I wanted to flag this really strong agenda at this week’s Threat Intelligence Summit for your awareness. I’ll be kicking off the day tomorrow with a fun live fireside chat with Thomas Rid, professor of strategic studies at Johns Hopkins School of Advanced International Studies.
The author of Active Measures: The Secret History of Disinformation and Political Warfare will join me to decipher the threat-intelligence discipline, nation-state connections to ransomware attacks, supply chain security implications, and the nuance of properly describing certain types of security incidents.
On Wednesday, I’ll be moderating a separate discussion with threat-intelligence practitioners on the currency of IOCs and how crowdsourced data can drive threat hunting at scale. Discussion victims include Gusto CISO Fredrick “Flee” Lee, Armorblox CTO Rob Fry and Prevailion CTO Nate Warfield.
Separately, there’s a really strong talk by Microsoft’s John Lambert on the evolution of data sharing, an ‘inside story’ presentation from Volexity’s Josh Grunzweig on the Microsoft Exchange hack, and an all-CISO panel on connecting threat intelligence to securing the software supply chain.
Needless to say, I can’t recommend this event enough tomorrow and Wednesday. Even the sponsor sessions look particularly interesting (imagine!).
More mysterious Android/MacOS zero-day attacks
The deluge of zero-day attacks hitting victims across all major computing platforms gets more eyebrow-raising every day. Just this week, Google quietly updated an Android bulletin to add the dreaded “may be under limited, targeted exploitation” language but, as is the norm, there are no IOCs or any documentation to help defenders.
Shout-out to Ars Technica scribe Dan Goodin for calling out the vague, meaningless language that leaves defenders more puzzled than protected. Google’s Shane Huntley not only joined the discussion with an explanation of sorts, but he DM’d me his tweet to make sure I saw that Google was aware of the frustrations.
“We are working to provide more information where possible on what we observe but it is a trade off and sometimes either don’t have the details or can’t reveal all the info that some people want. We still think there’s value releasing what we can,” Huntley explained.
Several Googlers privately cited the “potential exposure of sources and methods” reality as the main reason for the lack of transparency around IOCs and other useful data.
While I was scribbling this note, I noticed that Apple dropped another batch of MacOS patches with the mysterious “this issue may have been actively exploited” buried in a bulletin. Nothing more. Just that an attack happened, here’s a patch, and good luck.
We’ve somehow normalized this, because big companies like Google and Apple refuse to set a better standard. And the beat goes on, week after week, month after month.
_ryan
On to the newsletter.
- The most clicked link from last week’s issue was Tencent Keen Lab’s hack of the Mercedes-Benz infotainment system that produced five CVEs (four of them remote code execution).
This is an important conversation. Give it a listen!
A sample of upcoming guests.
- Collin Greene, head of product security, Facebook.
- Heather Adkins, information security leader, Google
- Michael Laventure, threat intelligence, detection and response, Netflix
- Anne Marie Zettlemoyer, vice president, security engineering, Mastercard
Full conversations are available on the SecurityConversations.com home page, and on all major platforms — Apple, Google, Spotify and Amazon.
[ Uptycs sponsor message: Going on the ATT&CK versus FIN7 and Carbanak ]
The most recent MITRE ATT&CK evaluation round focused on the FIN7 and Carbanak threat groups. In this 40-minute on-demand discussion, I get a first-hand look at how Uptycs platform not only detects the activity of these groups but also provides the context that analysts need to quickly understand how signals are tied together. Catch the discussion here.
The ransomware epidemic is causing some major hiccups in the cybersecurity insurance market, and the U.S. government’s watchdog group is warning that insurers are jacking up premiums and cutting back on coverage in healthcare and education. The U.S. GAO issued a 26-page report (pdf) with a few major warnings:
“Industry sources said higher prices have coincided with increased demand and higher insurer costs from more frequent and severe cyberattacks. In a recent survey of insurance brokers, more than half of respondents’ clients saw prices go up 10–30 percent in late 2020.”
“Industry representatives told GAO the growing number of cyberattacks led insurers to reduce coverage limits for some industry sectors, such as healthcare and education.”
“The continually increasing frequency and severity of cyberattacks, especially ransomware attacks, have led insurers to reduce cyber coverage limits for certain riskier industry … and for public entities and to add specific limits on ransomware coverage.”
DarkReading‘s Rob Lemos has related coverage of global insurer AXA refusing to reimburse French companies for ransomware extortion payments to cybercriminals. This news comes right after another insurance powerhouse CNA Financial confirmed it shelled out $40 million to purchase decryption keys to help with a ransomware attack.
Meanwhile, when marketing trumps security, we end up with stories like this. Sigh.
Tangentially.
- Must-read: Cryptocurrencies are multi-level marketing schemes for tech dudes.
- The Black Hat 2021 agenda is starting to fill out and looks pretty strong, especially the hardware/embedded track.
Have a fantastic week.
_ryan
PS: The podcast is available on all platforms (Apple, Google, Spotify and Amazon). As the kids say, like and subscribe, like and subscribe.